Question

I have an ASP.NET MVC 4 project in .NET 4.5.

I have set up claims-based authentication to protect my site.

I get a very strange behavior after logging in. If I edit the FedAuth cookie and change a value by hand in the token part, then refresh my page, it still works.

In my web.config I have this:

    <configSections>
      <section name="system.identityModel" 
               type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
      <section name="system.identityModel.services" 
               type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
    </configSections>

...

    <modules>
      <remove name="FormsAuthentication" />
      <remove name="WindowsAuthentication" />
      <add name="SessionAuthenticationModule" 
           type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </modules>

...

    <system.identityModel>
      <identityConfiguration>
        <claimsAuthorizationManager 
          type="Project.Web.MyClaimAuthorizationManager, Project.Web, Version=1.0.0.0, Culture=neutral" />
        <securityTokenHandlers>
          <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        </securityTokenHandlers>
      </identityConfiguration>
    </system.identityModel>

I am registering these filters in my project:

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }

I create a token like this:

    using System.Collections.Generic;
    using System.IdentityModel.Services;
    using System.IdentityModel.Tokens;
    using System.Security.Claims;

    public void IssueAuthTicket(string nameIdentifier, string name, bool persist)
    {
        var claims = new List<Claim>
                         {
                             new Claim(ClaimTypes.NameIdentifier, nameIdentifier),
                             new Claim(ClaimTypes.Name, name)
                         };
        var ci = new ClaimsIdentity(claims, "Forms");
        var cp = new ClaimsPrincipal(ci);

        // Wrap the principal in a session token; the SessionAuthenticationModule
        // protects it with the configured MachineKey handler and writes the FedAuth cookie.
        var token = new SessionSecurityToken(cp);
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);
    }

If I base64-decode the token I get this:

    <?xml version="1.0" encoding="utf-8"?>
    <SecurityContextToken xmlns:p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" p1:Id="_b686b435-7153-44c4-816f-f5aba60d4ee8-86A9E23C43E7AFDA5B390C4EEDD7C694">
    <Identifier>urn:uuid:667635fb-c98e-4cf0-be9e-805957589876</Identifier>
    <Cookie xmlns="http://schemas.microsoft.com/ws/2006/05/security">...</Cookie>

Then I change the first char of the Cookie element like this (v -> 1):

    <?xml version="1.0" encoding="utf-8"?>
    <SecurityContextToken xmlns:p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" p1:Id="_b686b435-7153-44c4-816f-f5aba60d4ee8-86A9E23C43E7AFDA5B390C4EEDD7C694">
    <Identifier>urn:uuid:667635fb-c98e-4cf0-be9e-805957589876</Identifier>
    <Cookie xmlns="http://schemas.microsoft.com/ws/2006/05/security">16KYxH2MmIw2IHWasLfLF5DvE8r8mzpcB6FCUZjIJAfrVBruiqxTujm3ZAdGlNRHt6xarPtnOhuBBNm1nAGrInz46fjK5Wu+8aWQpQBczWyceeummyn8SLt2Wr49J6q2A6k7QC73KR7eIuLATkWmQT2AQco42oPi2a+3x/TSOi/ZIjLWeLlomeFF7/j8uhoVxxhDir2Hamp66L5UPhQaUvhq5UfZR5AS0Y17OmXbVdKqSn5x8+7KtJ85CXavvijDibd5AFTwc7sAK66w6n5jKDxxyfYOH4w8jrMB5OpP0o0rWnfOAut7jFq+ECHPGSWs4acXVIAM9wMvryRxo0cnREVgyn1UX/jDnX8PmwaVgo9aCyjPKPgUhaYPL6lV6AYneQTZTUxjd2nB+P9raM9Kp2wsn8lxVZ7vmmK/ZL15S51bHcDWRdG7GDpxv2IhFMnZnBxltDEEkA/G6mYDR7Vl/x5HfoTADfJXmsrhAa8W6t+IudPIePNKZrKZVGnlatYFrKdAjQwn4/7aOS+Zk11E2PuD8GP6BLs5ADgjODxm06bPVWTEItbdi5sT5L6B0bnfPpI0LNUTaLgKvfxd8JLggtIEiGnkr0kHz6+p/KMVglwm9HZp60ojh2uf98YzdsH5DQ/iPwTduFPy9JtgdMGytfsMW0GHAhtM0FY1yPD8mgSryoYdF7IaBnC1fvZ3ZnMimaNRCv7MXt0LnJbT31cHFrH3V+VJ6xCibDK7Jhp1fHlZTEpE6FDZo9P6cNvj3xnNrsKn4lmecUNeHo9fZRwk0yCBfzqPOSvjzfKJNf8vy3A=</Cookie>

I re-encode this in base64 and inject it into the FedAuth cookie, and it still works.

Any idea on where I should start looking to solve this?

Thanks


Solution

OK, I think I now remember how that works.

When the session cookie is written, it is also cached in memory (regardless of IsReference mode). At read time, the identifier in the cookie is used to try to rehydrate the session token from the cache first. Only if this fails, the actual cookie is used (I guess to save the cost of validation).

This explains what you see. Modifying the identifier will make the request fail.
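A small Python model of the mechanism this answer describes, added here as an illustration (it is not WIF's code): the cookie carries identifier.payload.mac, the server caches the claims by identifier when it writes the cookie, and in "cache-first" mode an edited payload is never inspected because the cached token wins, while a changed identifier misses the cache and then fails the MAC check. The validate-first mode shows the ordering a handler needs if the cookie body is to be checked on every request. `SessionStore`, `SERVER_KEY` and `CLAIMS` are constructed names and values for the demo; the identifier is the one from the question.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the machineKey that protects the real FedAuth cookie.
SERVER_KEY = b"constructed-demo-key-not-a-real-machineKey"
IDENT = "urn:uuid:667635fb-c98e-4cf0-be9e-805957589876"   # identifier from the question
CLAIMS = {"nameidentifier": "42", "name": "alice"}          # constructed sample claims


class SessionStore:
    """Toy session-token handler: cookie = identifier.payload.mac plus an
    in-memory cache keyed by identifier (a model, not WIF's implementation)."""

    def __init__(self, key, cache_first):
        self.key = key
        self.cache_first = cache_first   # True models "rehydrate from cache before validating"
        self.cache = {}

    def _mac(self, ident, payload):
        msg = ident.encode() + b"|" + payload.encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, ident, claims):
        payload = base64.b64encode(json.dumps(claims).encode()).decode()
        self.cache[ident] = claims            # written to the cookie AND cached, as in the answer
        return ".".join([ident, payload, self._mac(ident, payload)])

    def read(self, cookie):
        ident, payload, mac = cookie.split(".")
        if self.cache_first and ident in self.cache:
            return self.cache[ident]          # cookie body never inspected, so edits go unnoticed
        if not hmac.compare_digest(mac, self._mac(ident, payload)):
            return None                       # edited payload or identifier: reject
        return self.cache.get(ident) or json.loads(base64.b64decode(payload))


def read_after_payload_tamper(cache_first):
    """Flip the first character of the protected part, as the question does (v -> 1)."""
    store = SessionStore(SERVER_KEY, cache_first)
    ident, payload, mac = store.issue(IDENT, CLAIMS).split(".")
    return store.read(".".join([ident, "1" + payload[1:], mac]))


def read_after_identifier_tamper(cache_first):
    """Change the identifier instead: cache miss, then the MAC check fails."""
    store = SessionStore(SERVER_KEY, cache_first)
    ident, payload, mac = store.issue(IDENT, CLAIMS).split(".")
    return store.read(".".join(["urn:uuid:00000000-0000-0000-0000-000000000000", payload, mac]))
```

In cache-first mode the edited payload is accepted only because the request is served from the cached, server-side copy of the token; the edited bytes themselves are never trusted, which is why changing the identifier (the cache key) makes the request fail in both modes.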

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow